1. Technical Field
The present invention relates generally to management of user sessions in a federated environment.
2. Background of the Related Art
Federated environments are well known in the art. U.S. Publication No. 2006/0021018, filed Jul. 21, 2004, is representative. A federation is a set of distinct entities, such as enterprises, organizations, institutions, or the like, that cooperate to provide a single-sign-on, ease-of-use experience to a user; a federated environment differs from a typical single-sign-on environment in that two enterprises need not have a direct, pre-established, relationship defining how and what information to transfer about a user. Within a federated environment, entities provide services that deal with authenticating users, accepting authentication assertions (e.g., authentication tokens) that are presented by other entities, and providing some form of translation of the identity of the vouched-for user into one that is understood within the local entity. Federation eases the administrative burden on service providers. A service provider can rely on its trust relationships with respect to the federation as a whole; the service provider does not need to manage authentication information, such as user password information, because it can rely on authentication that is accomplished by a user's authentication home domain or an identity provider.
A federated entity may act as a user's home domain, which provides identity information and attribute information about federated users. An entity within a federated computing environment that provides identity information, identity or authentication assertions, or identity services is termed an identity provider. Other entities or federation partners within the same federation may rely on an identity provider for primary management of a user's authentication credentials, e.g., accepting a single-sign-on token that is provided by the user's identity provider; a domain at which the user authenticates may be termed the user's (authentication) home domain. An identity provider is a specific type of service that provides identity information as a service to other entities within a federated computing environment. With respect to most federated transactions, an issuing party for an authentication assertion would usually be an identity provider; any other entity can be distinguished from the identity provider. Any other entity that provides a service within the federated computing environment can be categorized as a service provider. Once a user has authenticated to the identity provider, other entities or enterprises in the federation may be regarded as merely service providers for the duration of a given federated session or a given federated transaction.
Digital rights management (DRM) is a well-known technology for securing digital content. DRM works by encrypting content before distribution, and by limiting access to only those end-users who have acquired a proper license to play the content. Typically, the DRM license enforcement is done at the player/client. A complete DRM system typically comprises several parts: encryption, business-logic and license-delivery. DRM starts by encrypting the content. Once the content is encrypted, a key is required to unlock (decrypt) the content. The encrypted content can be delivered to the end user through well-known delivery methods. Typically, an end-user who desires to obtain the content visits an e-commerce web site and transacts with the business-logic process, usually involving one of registration, login, and/or payment; once this is done, the end-user is issued a license to play the content. The issued license typically comprises (i) a key (for decrypting the content), (ii) a set of rights (e.g. play exactly once, play for 30 days, or the like), and (iii) with the property that the license is valid only on the end-user machine to which it is issued. When an end-user attempts to play the DRM-protected content, the player first checks to see whether the license exists on the local machine; if so, the playback starts by decrypting the content. If a license is not found, the player attempts to get a license, typically from the storefront URL that is embedded in the content.